OAuth Clients
OAuth clients are applications that can authenticate with OctoMesh. Every application that accesses OctoMesh APIs — whether a web application, a background service, or a CLI tool — must be registered as a client.
Accessing OAuth Clients
Navigate to Identity > Clients to access the client management interface.
The list shows all registered clients:
| Column | Description |
|---|---|
| Client ID | Unique identifier for the client |
| Name | Display name of the client |
| Enabled | Whether the client is active |
| URI | The client's base URL |
Toolbar Actions
| Button | Description |
|---|---|
| New Client | Register a new client application |
| Search | Filter clients by ID or name |
| Export to Excel | Export the client list to an Excel file |
| Export to PDF | Export the client list to a PDF file |
| Refresh Data | Reload the client list |
Row and Context Actions
| Action | Description |
|---|---|
| Edit | Open the client in the edit form |
| Delete | Delete the client (context menu, with confirmation) |
Creating a Client
Click New Client to open the client creation form.
Basic Information
| Field | Required | Description |
|---|---|---|
| Client ID | Yes | Unique identifier (cannot be changed after creation) |
| Client Name | Yes | Display name for the client |
| Client URI | No | Base URL of the client application |
| Client Secret | No | Secret for confidential clients (device code, client credentials) |
Options
| Option | Description |
|---|---|
| Require Client Secret | Whether the client must authenticate with a secret |
| Enabled | Whether the client can be used for authentication |
| Offline Access (Refresh Tokens) | Allow the client to request refresh tokens |
Allowed Grant Types
Select which OAuth 2.0 grant types the client can use:
| Grant Type | Use Case |
|---|---|
| authorization_code | Web applications with browser-based login |
| client_credentials | Service-to-service authentication (no user context) |
| urn:ietf:params:oauth:grant-type:device_code | Devices and CLI tools without a browser |
| refresh_token | Refresh expired access tokens |
Redirect URIs
Configure where the Identity Service is allowed to redirect after authentication. Click the Add button to add entries.
Each redirect URI must be a full URL (e.g., https://myapp.example.com/callback/).
Post Logout Redirect URIs
Configure where the Identity Service redirects after logout. Click the Add button to add entries.
Allowed CORS Origins
Configure which origins are allowed for cross-origin requests to the Identity Service. Click the Add button to add entries.
CORS origins must not have a trailing slash (e.g., https://myapp.example.com).
Allowed Scopes
Configure which API scopes the client can request. Click the Add button to add entries. Common scopes:
| Scope | Description |
|---|---|
| openid | Required for OIDC — provides user identifier |
| profile | User profile information (name) |
| email | User email address |
| role | User roles |
| octo_api | Full access to all OctoMesh APIs |
| octo_api.read_only | Read-only access to all OctoMesh APIs |
Click Save to register the client or Cancel to discard.
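A pre-registration check for the rules in this section, as an added example that is not part of OctoMesh or its documentation. The dictionary layout, the `lint_client` function and the sample client are hypothetical and stand in for the form fields above.

```python
from urllib.parse import urlsplit

def lint_client(client):
    """Return findings for a client definition (hypothetical dict layout)."""
    findings = []
    grants = set(client.get("grant_types", []))
    scopes = set(client.get("scopes", []))

    # Redirect URIs must be full URLs: scheme and host both present.
    for uri in client.get("redirect_uris", []):
        parts = urlsplit(uri)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"redirect URI is not a full URL: {uri}")

    # CORS origins are scheme://host[:port] only, with no trailing slash or path.
    for origin in client.get("cors_origins", []):
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"CORS origin is not a full origin: {origin}")
        elif parts.path or parts.query or parts.fragment:
            findings.append(f"CORS origin has a trailing slash or path: {origin}")

    # The authorization code flow ends in a redirect, so it needs a target.
    if "authorization_code" in grants and not client.get("redirect_uris"):
        findings.append("authorization_code selected but no redirect URI set")

    # client_credentials has no user context, so the client must authenticate itself.
    if "client_credentials" in grants and not client.get("client_secret"):
        findings.append("client_credentials selected but no client secret set")

    # Identity scopes depend on openid; octo_api is the full-access scope.
    if scopes & {"profile", "email", "role"} and "openid" not in scopes:
        findings.append("identity scopes requested without openid")
    if "octo_api" in scopes:
        findings.append("octo_api is full access; use octo_api.read_only if reads suffice")
    return findings

# Constructed sample input, not a real OctoMesh client.
SAMPLE = {
    "client_id": "reporting-service",
    "grant_types": ["authorization_code", "client_credentials"],
    "client_secret": "",
    "redirect_uris": ["myapp.example.com/callback/"],
    "cors_origins": ["https://myapp.example.com/"],
    "scopes": ["profile", "octo_api"],
}

if __name__ == "__main__":
    for finding in lint_client(SAMPLE):
        print("-", finding)
```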
Editing a Client
Click Edit on a client row to open the edit form. The Client ID is read-only. All other fields can be modified.
Updating the Client Secret
In edit mode, the existing secret is not displayed (it is stored encrypted). To set a new secret:
- Click Set New Secret
- Enter the new secret
- Click Save
Deleting a Client
Right-click a client and select Delete. Confirm the deletion in the dialog.
Deleting a client immediately prevents all applications using that client ID from authenticating. Make sure the client is no longer in use before deleting it.
Default Clients
The following clients are created automatically during system setup:
| Client ID | Type | Purpose |
|---|---|---|
| octo-cli | Device Code | OctoMesh command-line tool |
| octo-idenityServices-swagger | Authorization Code (PKCE) | Identity API Swagger UI |
| octo-data-refinery-studio | Authorization Code (PKCE) | Data Refinery Studio |